Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,222
CVE-linked
1,855
Programs
342
New This Week
3
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
linkinfo - openbasedir bypass on Windows PHP
Internet Bug Bounty Improper Access Control - Generic (CWE-284)
Medium
2018-10-15
CORS on (ws.infogram.com)
Infogram Improper Access Control - Generic (CWE-284)
Low
2018-10-08
Cross-origin resource sharing: arbitrary origin trusted on chatws25.stream.highwebmedia.com
Chaturbate Improper Access Control - Generic (CWE-284)
None
2018-10-04
Stats Token doesn't expire after deactivating account
Chaturbate Improper Access Control - Generic (CWE-284)
Low
2018-09-27
Private and group tokens per minute endpoint active for disabled users
Chaturbate Improper Access Control - Generic (CWE-284)
Low
2018-09-27
Access control issue -- [Allow file system access not validated when using session auth]
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2018-16466
Medium
2018-09-25
Users may still able to view chat room panel of password protected rooms
Chaturbate Improper Access Control - Generic (CWE-284)
Medium
2018-09-20
Improper Access Control on Onelogin in multi-layered architecture
Uber Improper Access Control - Generic (CWE-284)
Unknown
2018-08-08
svcardproxydevus.starbucks.com Subdomain take over
Starbucks Improper Access Control - Generic (CWE-284)
High
2018-07-23
Suspended users can bypass UGC upload ban
Valve Improper Access Control - Generic (CWE-284)
Low
2018-07-02
[engineering.udemy.com] - Subdomain Takeover (ghost.io)
Udemy Improper Access Control - Generic (CWE-284)
Low
2018-06-27
Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot
HackerOne Improper Access Control - Generic (CWE-284)
Low
2018-06-27
File access control rules not enforced on image files
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2018-3762
Low
2018-06-15
Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C
Shopify Improper Access Control - Generic (CWE-284)
Low
2018-06-15
Origin IP found, Cloudflare bypassed
Liberapay Improper Access Control - Generic (CWE-284)
Medium
2018-06-02
GitHub import allows user to create child group under existing namespace
GitLab Improper Access Control - Generic (CWE-284)CVE-2017-0919
High
2018-05-24
ability to install paid themes for free
Shopify Improper Access Control - Generic (CWE-284)
Medium
2018-05-16
Unintentional file creation caused at Tempfile with directory traversal
Ruby Improper Access Control - Generic (CWE-284)CVE-2018-6914
Unknown
2018-04-01
The possibility that unintended file operation may be performed because some methods of `Dir` do not check NULL characters.
Ruby Improper Access Control - Generic (CWE-284)CVE-2018-8780
Unknown
2018-04-01
Unix domain socket and a path containing a null character
Ruby Improper Access Control - Generic (CWE-284)CVE-2018-8779
Unknown
2018-03-31
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239